10 FAS: 10 – Apple’s Mac and iPhone Security Crisis

August 2nd, 2007

Daniel Eran DilgerWindows Enthusiasts weary of making excuses for Microsoft’s security failures have discovered that the best defense is a good offense.

Fake Apple Scandal 10: Apple’s Mac and iPhone Security Crisis!Ignoring the fact that every desktop infested with malware is running Windows, and dismissing the reality that every headline grabbing worm and every virus crisis that disrupts business and results in expensive cleanup efforts has similarly been the fault of Windows, a new version of reality is being presented that insists that Windows is now more secure than ever, and that the real security problems lie with Linux, Macs, and the iPhone.

Back in 2005, Symantec announced that “Mac users may be operating under a false sense of security as a noteworthy number of vulnerabilities and attacks were detected against Apple Mac’s operating system, OS X…. While the number of vendor-confirmed vulnerabilities in OS X has remained relatively constant during the last two reporting periods [12 months], Symantec predicts this could change in the future.”

The only thing holding back a Windows-style security crisis for the Mac platform, according to Symantec, was popularity: “as OS X increases in popularity, so too will the scrutiny it receives from potential attackers.”

Vulnerability Counting.Prior to Symantec’s warning, Mac OS X was already receiving scrutiny from security companies. Secunia listed 36 advisories for Mac OS X in 2003 and 2004, compared to the 46 it had listed for Microsoft Windows XP and 60 advisories for Sun’s Solaris 9 during the same period.

Clearly, advisory counts alone were not a good indicator of overall security. Windows XP users were suffering such a severe security crisis that Microsoft was forced to overhaul and delay its plans for Longhorn/Vista to address the problems. At the same time, there were no serious problems derailing the development of Solaris or Mac OS X, and no ongoing malware crisis for users of those operating systems.

Despite that obvious reality, Secunia chief executive Niels Henrik Rasmussen insisted in 2004 that his numbers demonstrated that “The myth that Mac OS X is secure… has been exposed.”

Matthew Broersma of Techworld reported Secunia’s findings in an article titled “Mac OS X security myth exposed,” which opened with the line, “Windows is more secure than you think, and Mac OS X is worse than you ever imagined.”

Why was Windows more secure than we thought? Broersma trotted out statistics that pointed out that “33% of the OS X vulnerabilities were ‘highly’ or ‘extremely’ critical by Secunia’s reckoning, compared with 30% for XP Professional.” Of course, those percentages were of different numbers of security advisories. By most calculators, the Mac’s 33% of 36 is actually a fraction lower than XP’s 30% of 46.

In the years since, Broersma’s claim that ‘Windows was more secure than anyone thought’ didn’t do anything to actually safeguard Windows users from years of active malware problems, and the ‘worse than imagined’ security in Mac OS X didn’t result in any viruses turning up, nor even any real Mac malware problems at all.

The Problems with Advisories.Many of Secunia’s security advisories for Mac OS X were simply notices that Apple had patched otherwise unreported and unknown flaws.

That’s why Secunia’s site warns, “The statistics provided should NOT be used to compare the overall security of products against one another. It is IMPORTANT to understand what the below comments mean when using the statistics, especially when using the statistics to compare the vulnerability aspects of different products.”

That warning didn’t stop journalists like Broersma from printing sensational numbers that were completely misleading. Rather than counting reports of security information, take a look at how many vulnerabilities remain unpatched. From 2003 to 2007, Secunia reported:

105 security advisories for Mac OS X, 5 currently unpatched

185 security advisories for Windows XP, 29 currently unpatched

So far this his year, Secunia has reported:

11 security advisories for Windows Vista, 2 currently unpatched

18 security advisories for Mac OS X, 3 currently unpatched

Secunia also lists another 115 Secunia advisories for Internet Explorer 6, 20 of which are currently unpatched. IE 7, released last fall, has 15 advisories, of which 9 are unpatched. According to Microsoft, IE is an innovative part of Windows that is impossible to remove from its operating system. If that’s the case, how is it that vulnerability counters artificially separate IE and Windows when reporting on the overall security of the platform?

The Vulnerability Distraction from Real Security.Security reports for both Mac OS X and Linux commonly include hair pulling warnings about vulnerabilities in open source software that is distributed with those operating systems, including the Apache web server and MySQL database. These have no affect on users who don’t manually turn on database or web hosting services.

Microsoft’s vulnerably reports do not include flaws in its IIS web server or SQL Server products, as Microsoft sells these separately and at extra cost. That makes vulnerability counts easy to misrepresent.

Vulnerability counts also confuse together issues that are merely reported for informational purposes that pose no real threat with those that are critical and dangerous. They also confuse actual, exploited problems with theoretical flaws that will never actually cause a problem. For example, many of Secunia’s Mac OS X advisories were based on issues Apple reported in its patches, before the public ever knew there was a flaw to fix.

No amount of numbers can erase the huge expense involved in decontaminating, patching, and cleaning up Windows PCs, something that has no equal on other platforms. Microsoft insisted that Windows XP was the most secure Windows ever, at least until the release of Vista when it conceded that XP was riddled with architectural flaws that Vista thoughtfully fixed. Vista is now the most secure Windows ever, but based on previous awardees of that crown, that doesn’t mean much.

The Tale that Dogs the Wags.PC wags had long complained that Mac OS X was just as vulnerable as Microsoft Windows. Lance Ulanoff of PC Magazine reported in 2003 that he “was happy to learn earlier this month about the discovery of a significant security hole in the Jaguar and Panther versions of the Apple operating system.”

“The truth is,” Ulanoff announced, “that the Mac OS is just as vulnerable as Microsoft Windows. Overall, maybe OS X is better than Windows, but that’s not the point.” The point was that a potential DHCP vulnerability Ulanoff had heard about in Mac OS X was enough satisfy his mind that the $55 billion in losses suffered by businesses in 2003 from their use of Windows was now completely irrelevant.

Macs would now serve as a convenient new scapegoat for Window’s security problems. Extremists of all kinds have long pretended to solve significant problems by creating a distraction and blaming an innocent minority. Ulanoff even referred to “those on the Mac fringe” as radicals and fanatical devotees, making it clear that since Macs Weren’t With Us, They Were Against Us.

If Macs ever became popular, the potential security threats they might introduce could be a formidable problem to address. All the better reason to avoid any contact and perhaps round them up in internment camps.

Security by Obscurity.Windows Enthusiasts like to repeat that the only reason Macs aren’t plagued with a Windows-like security crisis is because there aren’t enough people interested in attacking Macs. With an active installed base of more than 20 million Mac users, about half of which are in the US, it does make sense for spammers to target attacks at the nearly 1,000 million Windows PCs on the planet, about a quarter of which are in the US.

The fact that Windows is a big, easy target does help the Mac platform remain unattractive to attacks. A related fact is that there are lots of ready-to-deploy malware delivery tools for Windows. Of the hundreds of thousands of known Windows viruses, there are less than 100 that are responsible for nearly all damage suffered by users. They simply keep getting reused because they work.

There are no viruses for Mac OS X. Of course, there is no magical barrier that prevents malware from being developed for Macs; it is trivial to create a Mac application or script designed to delete files or display ads. What prevents this potential from becoming a problem is that there are no easy ways to shove malware on users, install it without their knowing and in a way that is difficult to remove, and get it to automatically replicate and distribute itself.

This is easy to do on Windows. Malware installation can be automated using insecure methods Microsoft included to allow IT staff to distribute software. Once installed, malware can list itself in the byzantine Windows Registry so that it will automatically reinstall after the user tries to remove it. Poorly conceived scripting environments make it easy for viruses to replicate. Poor privilege control and unsecured network services make it easy for PCs to establish connections with other systems and propagate their infections.

Transparent Security.Deriding Macs for their supposed “security through obscurity” actually gets things backward however. The core of Mac OS X, including its kernel and BSD userland, is open source that can be examined like a set of blueprints to determine how the system works, and how it could be attacked. Mac OS X also incorporates external open source code including the Apache web server, and other open code maintained by Apple including the WebKit rendering engine that powers its Safari web browser.

While access to this source code isn’t necessary for finding flaws and vulnerabilities that could be exploited by attackers, it does make it much easier to discover issues and test them. It also makes it possible for third parties to recommend and develop solutions for potential problems.

Conversely, Microsoft’s NT kernel and core OS inside Windows NT, 2000, XP, and Vista has always been closed source, making it far more difficult for third party researchers to examine how it works and directly locate vulnerabilities. The rendering engine of Internet Explorer is also closed source, making it another black box.

That closed nature hasn’t prevented security exploits however; Windows users have suffered more frequent and serious attacks than any other platform on earth.

The real delusional failure of “security by obscurity” is therefore in Windows itself. While any security expert can examine Mac OS X’s foundations for cracks, the only experts who can afford to painstakingly engineer exploits for Windows are those getting paid to design methods to reliably deliver viral adware or spam distribution bots.

Why Apple is Outpacing Windows in Security: It’s Not Size.Despite being a mere 3% of the world’s installed base of PCs, Macs get an equal degree of security scrutiny; it’s just that the examination comes from engineers who largely have the goal of advancing the state of the art in security rather than spammers who have a viral business model to advance.

Apple has the advantage of benefiting from contributions made by the open security community, something Microsoft lacks because it maintains a nonstandard, closed core OS that nobody can freely peruse.

Apple also has the advantage of lacking Window’s attractive target for spammers; Apple has far fewer insecure legacy mechanisms to exploit and no existing malware industry for spammers to leverage in creating new exploits. Windows exploits serve a huge spam and spyware industry, and are worth big money.

Apple also maintains platforms that are easy to patch and keep up to date. That is by far the biggest reason why spammers have little love for the Mac; all their work becomes obsolete as soon as the next patch rolls out. Microsoft’s updates are rolled out in minor patches that are annoying to install, preventing users from spending the time to do it. A clean install of Windows XP SP2 will download over 50 patches, with multiple reboots.

Having more Macs on the planet won’t negate any of those factors. Even if Apple were to triple in size and command a 10% share of the world’s PC sales, there would continue to be very strong barriers to malware and security attacks on the platform. Mac OS X wouldn’t spontaneously develop a Windows Registry or a flawed Internet Explorer browser, or inherit bugs that have been hiding in Microsoft’s closed code for years.

Apple Wants Your Business More than Microsoft.In addition to being less interesting to spammers, Macs are also more valuable to Apple than Windows PCs are to Microsoft. Every Mac sold is a hardware and software profit to Apple, and an opportunity to build a relationship involving services and additional software. Apple has invested millions in building out a retail business to enhance its relationship with its consumers, providing advice, training, and accessory sales.

Apple promotes its security and reliability as key Mac advantages, and delivers upon those promises with regular updates. Since 2000, Apple has delivered 34 free OS updates to Mac OS X, not including many other security updates, firmware updates, other applications updates, and architecture-specific versions of the same update. Microsoft has delivered just two free OS service packs for Windows XP in the same half decade long period.

The reason Microsoft isn’t servicing Windows is because there’s no money in it. Every Windows PC sold is only a minor software license fee for Microsoft. OEMs typically pay Microsoft fees of around $30 each to mass license all their PCs. That gives Microsoft little incentive to support existing customers with security and bug fixes. As Bill Gates famously told Focus magazine back in 1995:

“The reason we come up with new versions is not to fix bugs. It’s absolutely not. It’s the stupidest reason to buy a new version I ever heard. When we do a new version we put in lots of new things that people are asking for. And so, in no sense, is stability a reason to move to a new version. It’s never a reason.”

Gates was explaining that people buy software to obtain perceived value, and that users commonly don’t see value in paying for fixes to a product’s outstanding flaws. People generally expect to gain significant new features. Of course, even there Apple has Gates beat: it has delivered three paid OS upgrades in the same period Microsoft has struggled just to deliver Vista.

Microsoft’s inability to deliver new products is also tied into its security problems. After a decade of tacking on new features but failing to address bugs and security issues, Microsoft was left with the crumbling ruins of a full blown security disaster and a lot of unhappy customers. Microsoft’s soiled reputation for software quality, security, and reliability began forcing users to examine alternatives. The company’s launch of Vista has been greatly underwhelming, despite its promise to solve all of Microsoft’s security issues.

Vista’s Security Illusions.Microsoft did pour lots of resources into Vista. Unfortunately, Vista can’t fix the Windows Registry or other significant architectural problems because existing Windows applications depend upon them. What it could do is bolt on entirely new security features such as User Account Control.

UAC asks the user for confirmation before performing any action that would require elevated privileges, and was lampooned by Apple in its “you are coming to a sad realization, cancel or allow?” ad.

UAC drops the burden of security issues on the user, but does this so frequently that users are overwhelmed by constant approval requests. That simply trains users to dismissively approve everything. That’s not security, it’s the illusion of security to create a false sense of security, just like taking fingernail clippers and bottles of shampoo off of airplanes.

Vista also delivers a protected mode for Internet Explorer 7.0, which helps to prevent malicious code from accessing system resources outside of a sandbox of temporary files. This helps, but doesn’t protect against all attack types. IE 7.0 is also available for XP, but it doesn’t provide this protected mode security on XP.

Microsoft also includes Windows Defender, a spyware tool it acquired from Giant Company Software. It also offers a paid subscription to its OneCare anti-virus service. OneCare explains why Microsoft never bundled a free virus scanner with Windows XP; it was gearing up to sell its own product to protect users from the painful multibillion dollar problem it created.

In Vista, Microsoft doesn’t sign up users to OneCare by default, it simply throws up a repeated warning insisting that users buy an antivirus program for their own protection, then directs them to a page offering OneCare along with other non-free third party solutions.

Back In March, Mark Hachman reported for PC Magazine, “a well-regarded antivirus testing laboratory has released its latest quarterly results, and placed Microsoft’s OneCare antivirus solution squarely at the bottom of the list.” If Microsoft–with its home field advantage–can’t even copy the anti-virus industry and develop its own subscription service to bill users for the failings of its own security incompetence, that doesn’t lend much credence to Microsoft’s other claims that Vista is a silver bullet for the problems of Windows security.

Security Panic and the iPhone.It should come as no surprise that the Windows Enthusiasts who have insisted–in contradiction of plain and obvious reality–that Mac OS X was “just as vulnerable as Windows,” are now insisting that Microsoft presides over a completely secure set of products that suddenly have no outstanding problems, and that Apple’s products are plagued with constant security issues.

Among the torrent of bad news for Mac OS X was the recent announcement by an anonymous source that a new worm would soon appear and create widespread devastation. However, after creating headlines, the source disappeared, complaining that he’d been scared off by ‘death threats from fanatical Mac users.’

A more credible threat recently appeared for Safari, which claimed the ability to exploit users of the iPhone, enabling the potential for a malicious user to direct them to tainted websites and run arbitrary commands.

While this was a real security issue presented by reputable security researchers, what it really highlights is the actual security in Safari and the iPhone. This exploit was easy for experts to identify because Safari’s rendering engine is open source. They were also able to recommend a solution, and Apple was able to rapidly deliver a patch for both its desktop and iPhone users.

That patch appeared within a month of the iPhone’s debut. This kind of security service is unheard of on any platform, let alone mobile devices, which rarely get any updates. When they do, it commonly involves a update procedure so complex that many users never bother to install it. The reason Apple can service the iPhone is that it’s making an integrated profit on the hardware, software, and service involved, so it is able to invest in delivering a secured platform.

The iPhone’s Security vs Palm.The fact that the iPhone works like an iPod is also a security feature. Anyone stealing a Palm OS device can plug it into their own PC with Palm’s HotSync software installed and simply pull off all its data. Anyone stealing an iPhone can plug it into their own copy of iTunes, but they won’t be able to pull off the data, because it intentionally only syncs with one library.

The thief will only be able to see a grayed-out listing of the installed songs, videos, and podcasts in iTunes. If the iPhone is passcode protected, they won’t be able to look through emails, SMS messages, or contacts. Plugging a locked iPhone into its own copy of iTunes can unlock it, but this won’t work for a thief using another computer or logged in as a different users. It is very difficult, although not completely impossible, to remove data from a locked iPhone, because Apple designed it with a reasonable degree of security in mind.

Windows Enthusiasts have been crowing that the iPhone doesn’t support “secure email.” It does; SSL encrypted IMAP is secure by anyone’s measure. Companies that don’t want to risk exposing their Exchange Server to the public Internet for fear that Windows would be immediately compromised can also set up a VPN and force iPhone users to connect via a secured tunnel before checking their mail.

Secure Messaging vs BlackBerry.What the iPhone currently lacks is support for BlackBerry’s BES push messaging, which users assume is secure because RIM says it is. However, it uses proprietary protocols to deliver email, so its security is not open to third party review by anyone who’d like to take a look.

Last fall, Symantec’s John O’Connor published findings that detailed that the BlackBerry isn’t as secure as its users like to think. User installed applications have access to do anything on the system, including reading and editing messages, relaying private information out to a malicious host, sending out premium paid messages, and propagating malware to other devices.

The BlackBerry uses a code signing system to ensure that third party applications are trusted, but a code signing key can be purchased by anyone for just $100, even using a prepaid credit card that leaves no trail. O’Connor wrote that a “motivated attacker could develop a range of deceptive or malicious software that could not only compromise the BlackBerry handheld device and its data, but the integrity of the corporate network to which it is attached.”

Enterprise pundits excited about the BlackBerry might do well to consider that users can’t install any applications on the iPhone at all–even without BES policy–ruling out a wide class of security exploits. At the same time, the iPhone can work with open, standards based web apps, enabling it to authenticate into private Intranet services and access information without any ability to download or relay that information to other, untrusted hosts.

Revocation and Management Security vs Windows Mobile.Another thing lacking on the iPhone is the ability for IT managers to remotely control it. Windows Enthusiasts like to feel secure that they can remotely revoke and wipe a Windows Mobile smartphone from their console, preventing a fired user from accessing and appropriating corporate data.

The iPhone is a “security nightmare” for pundits who believe in a security illusion invented by Microsoft, primarily because there are no buttons to push to manage or revoke an iPhone. The real issue of mobile security has two sides to consider however.

The first relates to the iPhone. As noted above, the iPhone can access and read documents via the web without actually downloading them. This makes the iPhone the most secure web platform device that has ever existed. Most any other PC or device that connects to the web can download and store documents locally.

At the same time, the iPhone can send and receive email with document attachments, just as any other phone can. There is no published provision for killing an iPhone remotely and deleting its stored email, the only place it can store documents. There’s also no central tool for disabling its camera or preventing it from connecting to insecure WiFi access points. These all depend upon the user, so companies that don’t trust their employees can’t trust the iPhone either.

However, the second side of mobile security–Microsoft’s existing Windows Mobile technology–makes the overreaching desperation expressed by such pundits as nCircle’s Andrew Storms and Gartner’s Ken Dulaney appear laughable. Both have recorded their disgust that the Apple hasn’t supplied any remote revocation features comparable to Microsoft’s. The problem is that Microsoft’s revocation feature is a joke.
Revocation allows an administrator to remotely reset a phone, which clears all settings and deletes all data. However, for Windows Mobile devices prior to the version 6.0 released earlier this year, revocation does not wipe memory cards.

Since all Windows Mobile devices come with a tiny amount of installed Flash, removable cards would be where the majority of that sensitive data would be. This highly touted revocation feature is therefore not even installed on the majority of Windows Mobile devices in a way that would provide any effective sort of corporate security.

The missing security that Dulaney has been repeating ad nauseam about the iPhone is not security; it’s that false sense of security that Windows Enthusiasts like to delude themselves with.

Gartner wants its clients to be excited about vendors that pretend to do things that they can’t really deliver, but which sound good.

The USB Mass Storage / RAM Card Security Hole.In contrast, rather than gloating about features that don’t really work, Apple designed a device that has no data card expansion security hole. The iPhone builds in a functional amount of Flash RAM, 32 – 128 times as much as every competing smartphone that ship with Windows Mobile, Palm OS, or RIM’s BlackBerry OS.

That’s one less way for corporate data to be popped out of a stolen mobile and recovered by a thief. Anyone who pays any attention to the supposed security experts who file missives about the danger of anything from Apple will recall the hue and cry over the iPod, and how it might enable employees to syphon off corporate data into the device surreptitiously.

However, the iPhone doesn’t even act as a USB storage device. It also only syncs with the device it was configured to sync against, so there’s no easy way to pull off sensitive data and push it elsewhere.

iPhone Managed Preferences.As for the rest of the “mobile management technology” that pundits love to embrace as a special gift of fire from Microsoft’s Mount Olympus, it should be kept in mind that all of these features are only managed preferences, something Apple has already delivered in its own Enterprise product, Mac OS X. Managing a mobile device isn’t some complex task; it is as simple as sending it a new preference file.

Certainly a company that can embarrass Microsoft by securely selling online music to millions of customers worldwide at the rate of 3.9 million songs per day and that can embarrass Microsoft by releasing a user interface that appears a decade in advance of its quaint Windows Mobile phones will also not be stymied at the idea of delivering a simple system to send iPhones a secure preference file that can turn the camera off or cause it to reset itself.

What do you think? I really like to hear from readers. Comment in the Forum or email me with your ideas.

Like reading RoughlyDrafted? Share articles with your friends, link from your blog, and subscribe to my podcast! Submit to Reddit or Slashdot, or consider making a small donation supporting this site. Thanks!